at least every 3 years
at least annually
significant changes
twenty-four (24) hours
eight (8) hours
eight (8) hours
at least annually
see additional Requirements and Guidance
see additional Requirements and Guidance
at least quarterly
at least every 3 years
at least annually
significant changes
at least annually
at least annually
at least annually
at least annually
at least one (1) year or 1 year after completion of a specific training program
at least every 3 years
at least annually
significant changes
successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.
annually and whenever there is a change in the threat environment
overwrite oldest record
at least weekly
one second granularity of time measurement
a time period in compliance with M-21-31
all information system and network components where audit capability is deployed/available
at least every 3 years
at least annually
significant changes
at least annually
individuals or roles to include FedRAMP PMO
at least annually and on input from JAB/AO
at least monthly
in accordance with OMB A-130 requirements or when a significant change occurs
to include JAB/AO
at least annually
at least every 3 years
at least annually
significant changes
at least annually and when a significant change occurs
to include when directed by the JAB
at least monthly
Continuously (via CM-7 (5))
at least every 3 years
at least annually
significant changes
at least annually
*See Additional Requirements
at least annually
at least annually
at least every 3 years
classroom exercise/table top written tests
daily incremental; weekly full
daily incremental; weekly full
daily incremental; weekly full
at least every 3 years
at least annually
significant changes
at a minimum, the ISSO (or similar role within the organization)
at least two (2) years
at least every 3 years
at least annually
significant changes
ten (10) days for privileged users, thirty (30) days for Incident Response roles
at least annually
at least annually
US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
at least annually
see additional FedRAMP Requirements and Guidance
see additional FedRAMP Requirements and Guidance
at least every 3 years
at least annually
significant changes
at least every 3 years
at least annually
significant changes
techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware
at least every 3 years
at least annually
significant changes
at least annually
CSP defined physical access control systems/devices AND guards
in all circumstances within restricted access area where the information system resides
at least annually
at least annually
at least monthly
for a minimum of one (1) year
at least monthly
consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
continuously
all information system components
at least every 3 years
at least annually
significant changes
at least annually
at least every 3 years
at least annually and when the rules are revised or changed
at least annually and when a significant change occurs
at least every 3 years
at least annually
significant changes
at least every three years
for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.
For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions
four (4) hours
twenty-four (24) hours
twenty-four (24) hours
at least annually
at least annually and any time there is a change to the user's level of access
including access control personnel responsible for the system and/or facilities, as appropriate
within twenty-four (24) hours
at a minimum, the ISSO and/or similar role within the organization
at least every 3 years
at least annually
significant changes
security assessment report
at least every three (3) years and when a significant change occurs
at least every three (3) years
monthly operating system/infrastructure; monthly web applications (including APIs) and databases
high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery
prior to a new scan
at least every 3 years
at least annually
significant changes
at a minimum, the ISSO (or similar role within the organization)
Appropriate FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
at least every 3 years
at least annually
significant changes
Protect against
at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack
In accordance with Federal requirements
FIPS-validated or NSA-approved cryptography
no exceptions for computing devices
all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels
at least every 3 years
at least annually
significant changes
within thirty (30) days of release of updates
signature based and non-signature based
at least weekly
to include endpoints and network entry and exit points
to include blocking and quarantining malicious code
administrator or defined security personnel in near real-time
to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives
to include system security personnel and administrators with configuration/patch-management responsibilities
to include chief privacy and ISSO and/or similar role or designees
at least every 3 years
at least annually
significant changes
at least annually
notification of supply chain compromises and results of assessment or audits
all
Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.
Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records.
Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities.
Organizational processes for account management on the information system; automated mechanisms for implementing account management.
NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.
FED - This is related to agency data and agency policy solution.
FED - This is related to agency data and agency policy solution.
NSO - All access to Cloud SaaS is via web services and/or API. The device accessed from, and whether access is via wired or wireless connection, is out of scope. Regardless of the device accessed from, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).
NSO - All access to Cloud SaaS is via web services and/or API. The device accessed from is out of scope. Regardless of the device accessed from, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).
NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.
NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.
Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.
Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.
Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.
Required - Specifically include details of least functionality.
The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings, or establish its own configuration settings if USGCB is not available.
The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).
Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.
NSO - Not directly related to protection of the data.
NSO - Boundary is specific to the SaaS environment; all access is via web services; users' machines and internal networks are not contemplated. External services (SA-9), internal connections (CA-9), remote access (AC-17), secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.
NSO - Loss of availability of the SaaS has been determined to have little or no impact to government business/mission needs.
NSO - Loss of availability of the SaaS has been determined to have little or no impact to government business/mission needs.
NSO - Loss of availability of the SaaS has been determined to have little or no impact to government business/mission needs.
NSO - Loss of availability of the SaaS has been determined to have little or no impact to government business/mission needs.
NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.
FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
Determine if the information system:
Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
Attestation - Specifically attest to US-CERT compliance.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
The service provider measures temperature at server inlets and humidity levels by dew point.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.
Condition: If availability is a requirement, define protections in place as per control requirement.
Condition: If implementing, detail how the control is met or not met.
NSO - Not directly related to the security of the SaaS.
Attestation - Specifically related to US-CERT and FedRAMP communications procedures.